Get the latest federal technology news delivered to your inbox.

Elections are one of the few facets of U.S. life done almost entirely offline.

When Hur­ricane Sandy hit in 2012, it threw New Jer­sey in­to an ad hoc ex­per­i­ment in on­line vot­ing.

The storm made land­fall just days be­fore the pres­id­en­tial elec­tion, and along with an es­tim­ated $30 bil­lion in dam­ages, it also wiped out hun­dreds of polling places, leav­ing many people without a place to vote. Bey­ond that, many res­id­ents were dis­placed from their homes, un­able to even re­ceive or cast an ab­sent­ee bal­lot by mail.

In a bid to keep the dis­placed from be­com­ing dis­en­fran­chised, the state turned to the in­ter­net for help. New Jer­sey Lt. Gov. Kim Guadagno launched the U.S. in­to an im­promptu ex­per­i­ment in mass on­line vot­ing—des­ig­nat­ing the cit­izens as “over­seas voters” and thereby grant­ing them the abil­ity to re­quest and re­turn bal­lots on­line, either by email or by fax.

Had New Jer­sey’s ex­per­i­ment gone well, it would have been a ma­jor vic­tory for ad­voc­ates of on­line vot­ing, who’ve long ar­gued that the in­ter­net could be a valu­able tool to pro­tect the right to vote and in­crease dis­mal U.S. vot­ing rates.

It did not, however, go well at all: Email serv­ers were over­whelmed, leav­ing voters un­able to re­quest or re­turn their bal­lots. In an at­tempt to fix the situ­ation, one elec­tions of­fi­cial gave out his per­son­al email ad­dress to voters to sub­mit their bal­lot re­quests—and a se­cur­ity re­search­er dis­covered that his pass­word re­cov­ery ques­tion was ap­par­ently his moth­er’s maid­en name after look­ing at Hot­mail’s pass­word-re­set form. The of­fi­cial says he was nev­er hacked.

A re­port from the Con­sti­tu­tion­al Rights Clin­ic at Rut­gers School of Law also chal­lenged the on­line-vot­ing ex­per­i­ment, ques­tion­ing both the con­sti­tu­tion­al­ity of al­low­ing voters to cast their bal­lots on­line and rais­ing con­cerns about the valid­ity and se­cur­ity of the elec­tions.

And they were not alone. Se­cur­ity ex­perts cried foul at the elec­tion, which saw an es­tim­ated 50,000 bal­lots cast elec­tron­ic­ally. They were con­cerned that voters’ per­son­al data was po­ten­tially ex­posed, and were wor­ried that there was an op­por­tun­ity for bal­lots to go un­coun­ted.

“We don’t know how many of these votes were ac­tu­ally coun­ted or shouldn’t have been coun­ted versus lost, or how many people tried to use this sys­tem but were un­able to get bal­lots,” Ed Fel­ten, who was then the dir­ect­or of Prin­ceton Uni­versity’s Cen­ter for In­form­a­tion Tech­no­logy Policy, told Al Jaz­eera in 2014. “We can’t meas­ure it, but cer­tainly there are in­dic­a­tions of over­flow­ing mail­boxes, big back­logs and prob­lems pro­cessing re­quests. So I don’t think you could con­clude at all that this was a suc­cess­ful ex­per­i­ment.”

The in­cid­ent un­der­scores both the po­ten­tial and the per­il of on­line vot­ing. The ad­vant­ages are many: it is con­veni­ent for a lot of voters, more ac­cess­ible for the eld­erly or those who can’t get off from work and still works in the case of a na­tion­al dis­aster.

But this butts up against one big, re­cur­ring prob­lem: des­pite its prom­ise, the pos­sib­il­ity of se­cur­ity fail­ures has thus far proved a nearly in­sur­mount­able hurdle. And that’s why, at a time when more Amer­ic­ans are us­ing the in­ter­net for their shop­ping, bank­ing, and even dat­ing, the vot­ing pro­cess has been al­most en­tirely un­touched by the di­git­al re­volu­tion.

One step for­ward, two steps back

“I don’t think we’re ready for it right now, in terms of se­cur­ity,” said Com­mis­sion­er Christy Mc­Cormick of the Elec­tion As­sist­ance Com­mis­sion, a fed­er­al agency that de­vel­ops vol­un­tary vot­ing-sys­tem guidelines and a sys­tem for ac­cred­it­ing vot­ing sys­tem test­ing labor­at­or­ies, along with provid­ing elec­tion-ad­min­is­tra­tion as­sist­ance. “I think the risk is still too high. Es­pe­cially when you see things like An­them and Tar­get and OPM … One of the most-de­sir­able hack­ing scan­dals would be to hack in­to the vot­ing sys­tems.”

That’s why mass ex­per­i­ments in di­git­al bal­lot­ing have been few and far between.

A ma­jor­ity of states already al­low cer­tain voters—typ­ic­ally ser­vice mem­bers and over­seas voters—to re­turn bal­lots on­line, either by email or by fax. Past that, there’s been lim­ited ex­per­i­ment­a­tion with an on­line-vot­ing sys­tem in­de­pend­ent from just email­ing a bal­lot in—loc­al jur­is­dic­tions like Hon­olulu, Hawaii, and the Dis­trict of Columbia have tested sys­tems, and Alaska star­ted to al­low voters to sub­mit ab­sent­ee bal­lots elec­tron­ic­ally in 2012—all to vary­ing de­grees of suc­cess.

In 2010, Wash­ing­ton D.C. planned on rolling out an on­line vot­ing sys­tem of its own. The sys­tem was in­ten­ded to al­low over­seas and ab­sent­ee voters to file their bal­lot elec­tron­ic­ally through the sys­tem. To test the se­cur­ity, the elec­tion board held a mock elec­tion and in­vited the pub­lic to test the sys­tem.

With­in 36 hours, a group from the Uni­versity of Michigan hacked the tri­al site. They changed the site to play the Michigan fight song after a voter cast their bal­lot. But the fight song was merely a demon­stra­tion for the lar­ger dam­age the group could have done. They were able to trash all the bal­lots sub­mit­ted be­fore their hack, re­pla­cing them with bal­lots that had write-in can­did­ates like “Skynet” and “Hal 9000.” For the bal­lots that were sub­mit­ted after the hack? They were able to view the en­cryp­ted bal­lot that a test voter sub­mit­ted, with that voter’s per­son­al in­form­a­tion still at­tached. The sys­tem was scrapped.

Be­sides D.C., sev­er­al loc­al jur­is­dic­tions have al­lowed their cit­izens, and not just ab­sent­ee ones, to vote on­line—in­clud­ing Hon­olulu’s neigh­bor­hood-board-sys­tem elec­tions.

The elec­tions for the 33 Hon­olulu neigh­bor­hood boards switched from a mailed pa­per bal­lot to a purely on­line sys­tem run by Every­one Counts, a private on­line-vot­ing com­pany, in 2009 after the city coun­cil cut the budget of the of­fice that ad­min­is­ters the elec­tion, ac­cord­ing to Bry­an Mick, a com­munity re­la­tions spe­cial­ist with the Hon­olulu Neigh­bor­hood Com­mis­sion Of­fice. In 2007, they had a sys­tem that al­lowed for both mail and on­line vot­ing.

Mick said that the purely on­line sys­tem only cost them a third to a half of what the ab­sent­ee sys­tem cost—but they saw turnout rates drop down to 8.5 per­cent in the first purely on­line elec­tion, which has gradu­ally in­creased to over 10 per­cent in the most re­cent one. Earli­er elec­tions, where the mail-vot­ing sys­tem was used, saw turnout rates in the low 20s.

He says that on the up­side, these elec­tions showed Hon­olulu voters that on­line vot­ing can be done safely on­line after Every­one Counts flew in­to the com­munity to give les­sons on on­line se­cur­ity.

The 2013 Hon­olulu elec­tions also re­ceived a Bright Ideas award from the Ash Cen­ter at the Har­vard Kennedy School.

Per­haps the most dur­able for­ay in­to on­line demo­cracy thus far comes in Es­to­nia, where cit­izens have been vot­ing elec­tron­ic­ally for par­lia­ment­ary elec­tions since 2007. Their sys­tem veri­fies voters either through a scan­nable ID card or a mo­bile phone, lets them cast a bal­lot on­line and then en­crypts and re­moves a voter’s sig­na­ture from the bal­lot for the Na­tion­al Elect­or­al Com­mit­tee to count. The coun­try saw a re­cord 176,328 bal­lots cast on­line in 2015, roughly 20 per­cent of the total num­ber of bal­lots.

But cy­ber­se­cur­ity ex­perts don’t paint as rosy of a pic­ture of the sys­tem as Es­to­ni­an of­fi­cials do. An in­de­pend­ent re­view of the sys­tem in 2014 found a laun­dry list of prob­lems that in­cluded a crip­pling flaw for an on­line-vot­ing sys­tem: the fact that re­search­ers were able to demon­strate how to rig the vote count on a dummy Es­to­ni­an sys­tem. The re­port also found that there was not a suf­fi­cient level of “ba­sic se­cur­ity prac­tices” by ad­min­is­trat­ors of the sys­tem and there was not enough trans­par­ency built in­to the sys­tem to “provide com­pel­ling proof that elec­tion out­comes are cor­rect.”

Ul­ti­mately, the team sug­ges­ted pulling the plug on on­line vot­ing. “What Es­to­nia would come back and say is ‘Well, no one has hacked it, so it is OK,’” said Jason Kit­cat, one of the mem­bers of the Es­to­ni­an re­port team. “That is a non-proof. If it was a state level at­tack­er … they’re not go­ing to say ‘Hey every­one. By the way, we’ve hacked your on­line votes.’ That’s not in their in­terests. If they are go­ing to do it, they’re go­ing to do it un­detect­ably.”

Hope for the fu­ture?

For pro­ponents of on­line vot­ing, the struggles in D.C. and after Sandy do not mean that on­line vot­ing is im­possible to do cor­rectly. In­stead, they see them as cau­tion­ary tales, proof of the ne­ces­sity for care­ful se­cur­ity.

“The D.C. ex­ample is a per­fect ex­ample be­cause the real­ity of on­line vot­ing isn’t that it either is or isn’t se­cure. It is how you de­ploy it, just like any elec­tion,” said Lori Steele Contor­er, the pres­id­ent of Every­one Counts. “Each of the im­port­ant se­cur­ity pro­to­cols with­in the [D.C.] sys­tem would breach Se­cur­ity 101.”

Steele Contor­er also said that email­ing bal­lots, like in the con­tin­gency plan im­ple­men­ted in the wake of Sandy, is an in­cred­ible in­sec­ure way to trans­mit bal­lots—something that both on­line vot­ing ad­voc­ates and cy­ber­se­cur­ity ex­perts broadly agree on.

Every­one Counts, which did not run the D.C. sys­tem, has also made in­roads with on­line elec­tions in the United States. The com­pany has fa­cil­it­ated lim­ited on­line vot­ing in states such as West Vir­gin­ia and Alabama as well as in­ter­na­tion­ally. They also run private-sec­tor elec­tions, in­clud­ing the votes for the Academy Awards and the Emmys.

Steele Contor­er says Every­one Counts pro­tects their bal­lots us­ing “mil­it­ary-grade” en­cryp­tion, and have mul­tiple levels of pre­vent­ive meas­ures in place to catch and re­verse any po­ten­tial bal­lot tam­per­ing.

But the cy­ber­se­cur­ity com­munity is still not con­vinced that on­line vot­ing is ready for prime time.

“They’re pre­tend­ing like vot­ing is no dif­fer­ent than buy­ing a book on Amazon, and they’re com­pletely, by vir­tue of ig­nor­ance or malice, ig­nor­ing the truth of the world,” said Joe Kiniry, a cy­ber­se­cur­ity re­search­er. “The simplest way to check the vera­city of their state­ments is to call up any se­cur­ity re­search­er in the world that you find on­line who has made pub­lic state­ments about end-to-end veri­fi­able elec­tions and ask them. And you will find that 999 out of 1000 will tell you that [the likes of] Every­one Counts, [oth­er on­line vot­ing venders], and Es­to­nia are full of shit.”

One con­cern of cy­ber­se­cur­ity ex­perts is pro­tect­ing both the an­onym­ity of a voter, and al­low­ing the voter to prove that their vote was ac­tu­ally cast. In an on­line pur­chase, both the mer­chant and cred­it-card com­pany or bank at­tach the cus­tom­er’s name to the pur­chase. Pur­chases are tied back to in­di­vidu­als—something cus­tom­ers want so that they can veri­fy their pur­chases.

But an on­line-vot­ing sys­tem would need to sep­ar­ate the two—a voter’s iden­tity from their bal­lot—to pro­tect voter an­onym­ity. In that case, how can that voter be con­fid­ent that their vote is coun­ted at the end of the day?

“Vot­ing is dif­fer­ent from bank­ing be­cause of the pri­vacy is­sue,” said Mc­Cormick. “The bank has to know who you are when you deal with them in bank­ing. But when you vote, you still have to make sure that per­son still has the right to secrecy of the bal­lot. That part we haven’t figured out yet.”

Mul­tiple threats

An­oth­er con­cern of se­cur­ity ex­perts is the po­ten­tial reach of a vot­ing sys­tem. Cy­ber­se­cur­ity ex­perts say that vot­ing sys­tems have many points of at­tack. A sys­tem would have to more to pro­tect than one or two cent­ral com­puters—it would need to safe­guard every ma­chine that a voter uses to con­nect.

“Your vot­ing sys­tem, for an in­ter­net vot­ing sys­tem, is not some su­per secret locked down serv­ers sit­ting in a room,” said Kiniry. “Your vot­ing sys­tem is ac­tu­ally every com­puter ever used in the elec­tion talk­ing to those serv­ers. So sud­denly in­stead of one locked down serv­er you have to pro­tect, it is every phone, every laptop, every un­patched Win­dows 98 sys­tem that any voter in that jur­is­dic­tion uses.”

A sep­ar­ate prob­lem with the sys­tem is like the di­git­al equi­val­ent of long lines at a polling place. But when too many people try to ac­cess a vot­ing sys­tem on­line there isn’t just a long wait. In­stead, the whole sys­tem could go down.

A sys­tem could also be taken down by traffic both in­ten­tion­ally or un­in­ten­tion­ally. Be­sides a wave of last minute, well-in­ten­tioned voters shut­ting down an on­line vote, the vot­ing sys­tem could also suf­fer a deni­al of ser­vice at­tack—where someone look­ing to in­ter­fere with an elec­tion floods a serv­er with traffic, mak­ing it in­ac­cess­ible to a voter. If a deni­al of ser­vice at­tack hap­pens, either be­nign or ma­li­cious, an en­tire elec­tion could be de­railed.

“With elec­tion days, we don’t get to say ‘hey, we’re go­ing to add an­oth­er day’ be­cause we had a deni­al-ser­vice prob­lem,” said Pamela Smith, the pres­id­ent of Veri­fied Vot­ing, an elec­tion-trans­par­ency-ad­vocacy group. “Most people tend to leave it for the last minute. If they did leave it for the end and then there was a deni­al-of-ser­vice at­tack on that day, they’re out of luck.”

However, elec­tion of­fi­cials and cy­ber­se­cur­ity ex­perts are aware that the clam­or for on­line vot­ing prob­ably can’t be held off forever.

“One way or the oth­er, we’re headed in that dir­ec­tion, people want to vote the way we live. People ex­pect it,” said Mc­Cormick. “But at this point, the se­cur­ity isn’t there. … I think we’ll get there at some point, but I don’t know when that will be. Wheth­er that is 5 years or 20 years, I don’t know. But I don’t think we’re ready for it right now.”

What would the per­fect sys­tem look like?

Kiniry and oth­er re­search­ers at Galois pre­pared a re­port for U.S. Vote Found­a­tion that laid out their ideal on­line vot­ing sys­tem to strive for, which cru­cially in­cluded a re­com­mend­a­tion for mak­ing any fu­ture sys­tem open-source—mean­ing any­one can look at the cod­ing of the sys­tem to hunt for in­sec­ur­it­ies or bugs.

The re­port also ad­voc­ates that an on­line vot­ing sys­tem be “end-to-end veri­fi­able”, mean­ing voters can check that the sys­tem re­cor­ded their vote cor­rectly, that their vote is in­cluded in the fi­nal tally, and that any voter can check the coun­ted votes to make sure they match the end res­ults of the elec­tion.

And both sides re­cog­nize that tra­di­tion­al vot­ing meth­ods are far from in­fal­lible. Be­sides the long lines at polling places, older vot­ing meth­ods have to grapple with mail fraud, ma­chine er­ror (like 2000’s in­fam­ous hanging chads), weath­er keep­ing voters away, people who want to vote be­ing un­able to com­mit the time to wait­ing, and oth­er un­fore­seen prob­lems.

And even those op­posed to on­line vot­ing see that there is some room for tech­no­logy. On­line voter re­gis­tra­tion is wide­spread and a wel­comed prac­tice, Mc­Cormick said.

“I think it is un­reas­on­able to say you can’t use tech­no­logy in any demo­crat­ic par­ti­cip­a­tion what­so­ever,” said Kit­cat. “Just in the same way, you might be more than happy to send $100 through PayP­al, you prob­ably wouldn’t send $1 mil­lion through PayP­al. You have to use the ap­pro­pri­ate tool to the ap­pro­pri­ate level of risk.”

Just like any on­line (or off­line) trans­ac­tion, an on­line sys­tem will nev­er be 100 per­cent se­cure. Ul­ti­mately, elec­tion of­fi­cials and voters will have to de­cide how much risk they’re will­ing to tol­er­ate for the pure con­veni­ence and ac­cess­ib­il­ity that an on­line sys­tem of­fers. And for many vot­ing ad­voc­ates and se­cur­ity spe­cial­ists, that risk level is just too high right now to make the trans­ition on­line.

“On­line bank­ing is a huge suc­cess, but we ex­pect a re­l­at­ively high cost in the sense of fraud and loss in any giv­en day, but we still gain far more value out of that,” said Kath­ryn Peters, a cofounder and chief op­er­at­ing of­ficer of Demo­cracy Works, a group that aims to stream­line elec­tions. “The prob­lem with on­line vot­ing is … that’s a cost that his­tor­ic­ally we have not been will­ing to con­sider in terms of an elec­tion out­come, in be­ing able to re­view that it is com­pletely free and fair. To be hon­est, a zero- or min­im­al-risk tol­er­ance in elec­tions makes sense from a policy per­spect­ive.”